Connect to Project Isizwe WiFi at own risk

Connecting to the Project Isizwe free public WiFi offering is a risk worth taking, says CIO James Devine.

Users must connect to the Project Isizwe public WiFi network at their own risk, as there are a number of potential risks to watch out for when using the network.

So says James Devine, CIO of Project Isizwe, who points out that as long as users are aware of the risks and take measures to limit the exposure, the benefits of free public WiFi far outweigh any risk.

Project Isizwe is a non-profit organisation which aims to bring the Internet to people across SA by facilitating the roll-out of free WiFi for public spaces in low income communities. It offers free WiFi access with no passwords or logins. Users connect, click and surf in open public spaces around schools, universities, libraries, sports clubs, community centres and parks.

"The fact is that every effort to move the world forward brings risk," says Devine. "Electricity, water, online banking - everything we take for granted today was initially confronted by blockers that said 'it's too risky'. Access to the Internet has many more advantages to a larger portion of society than, for example, credit cards, so with education and certain security protocols, it is a risk worth taking."

Real danger

World Wide Worx MD Arthur Goldstuck is also of the view that the benefits of connecting to public WiFi far outweigh the security risks, especially if users are educated on how to select the correct WiFi connection.

"The truth is that the effort it takes to intercept communication on a WiFi hotspot is highly unlikely in an environment with minimal returns."

Goldstuck points out the real security risk in this environment, among the likely users of free hotspots, is not financial but around privacy. "The ability of hackers to get into someone's e-mail account and compromise their communications is a real danger. While it remains a remote possibility in most of the current free hotspots being created in urban areas, it is probably only a matter of time before there is a breach."

However, he believes that if users are given some education on the issue, and care is taken to ensure it is a legitimate hotspot, it is an even more remote possibility.

Dominic White, CTO at information security company SensePost, says using public WiFi exposes users to two potential risks - the first is that people can monitor some of the user's communications; the second is that someone could attempt to modify their communications.

"Specifically, the monitoring could reveal what sites you are visiting, when, how long, and how much you're interacting with them. For some sites, you can see the actual content, although this is becoming rare with more and more sites making use of HTTPS/TLS and it's most secure implementation using 'certificate pinning'."

White explains the active interception could reveal more of the user's activities, and could allow communications to be modified. This can be limited through the use of 'access point isolation' where no two nodes on the WiFi network are able to communicate with one another.

"Lastly, the use of public WiFi networks could allow attackers to set up fake access points with the same name as the public WiFi network, and conduct slightly more advanced attacks against users."

For Arnaud Le Hung, Southern Europe and Africa marketing director at Aruba Networks, public WiFi is not a safe place by default, as its aim is to provide an Internet access to all and Project Isizwe goes even further by providing free access.

"Therefore, they [Project Isizwe] can't provide security but each user must behave safely. Project Isizwe is great news for South Africa, but you, as the user, need to behave safely and only do what you need to do using this kind of access," says Le Hung.

According to Doros Hadjizenonos, country manager of Check Point SA, a security solutions vendor, while public WiFi users need to be aware of security best practices, the vendors or hosts rolling these out need to be just as cautious.

Risk mitigation

Devine says Project Isizwe has several automated and manual processes in place to mitigate the risk of users on the network. However, he notes that as with all things security-related, these are not open for discussion in public forums.

"What I can share with you is that all traffic is filtered across all the networks and access to pornography, etc, is blocked - this is the same for all Torrent and Botnet sites. All the standard practices are in place - firewalls, client isolation and abstraction zones exist and are monitored," he explains.

"We, at Project Isizwe, are always looking at ways to increase security on the network and there are some very interesting developments relating to Hotspot 2.0 Release 2. We are also looking at several parallel projects at the moment, investigating not only increasing security on the networks but keeping the same simple click to connect methodology."

Devine notes Isizwe's biggest challenge relating to security is the splintered and fragmented ecosystem of devices that have to be catered for, adding these mean planning a migration to things like Hotspot 2.0 very difficult.

"The vast majority of our users are from low income brackets and do not always have the latest phones and, as such, do not support the latest security standards like Hotspot 2.0. A large portion of our users do not have a tech-savvy backdrop and if the process to connect is too complicated, they would be unable to make use of the service. Security is always in the forefront of our minds when we are enhancing the network."

Project Isizwe's tips for Internet security

Admire Moyo

ITWeb's business editor.

Admire Moyo is ITWeb's business editor. He has been a tech journalist at ITWeb since 2010. Before joining ITWeb, Admire worked for The Herald newspaper based in Zimbabwe. He holds a BA degree (English and History) from Africa University.